Create UrlEncoder

Details

Description

To customize how URL encoding in a web app occurs, we should have a UrlEncoder component. More specifically, this can be used to customize how JSESSIONID is appended to a URL (if at all, depending on security preferences).


Les Hazlewood added a comment - 09/May/12 21:50

Hi Jim,
I totally agree - this is why I'd like it to be a customizable component where these things can be easily turned on/off instead of embedded in the ShiroHttpServletResponse implementation like it is today.
However, because Shiro must adhere to the Servlet Specification, we have to support JSESSIONID appending - but we can still strongly recommend to people that they turn it off (or even likely turn it off by default). XSS defense was also on my mind when I thought about this too - hopefully we can kill a few birds with one stone here.
Thanks for the feedback!!!
Les
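
The on/off behaviour discussed in this issue, as an added example that is not Shiro's code: `UrlEncoder` here is a hypothetical interface, and the class name, constant names and sample session id are constructed for illustration. It puts servlet-style `;jsessionid=` rewriting beside a strategy that never places the session id in a URL; skipping absolute URLs is a conservative assumption of this example.

```java
public class UrlEncoderDemo {

    /** Hypothetical pluggable strategy for rewriting outgoing URLs. */
    interface UrlEncoder {
        String encode(String url, String sessionId, boolean sessionIdFromCookie);
    }

    /** Session id never appears in a URL (cookie-only session tracking). */
    static final UrlEncoder NO_REWRITE = (url, sessionId, fromCookie) -> url;

    /** Servlet-style rewriting: ";jsessionid=<id>" added as a path parameter. */
    static final UrlEncoder APPEND_JSESSIONID = (url, sessionId, fromCookie) -> {
        // Nothing to add when there is no session or the client already sends a cookie.
        if (sessionId == null || fromCookie) {
            return url;
        }
        // Same-document references carry no path to attach a parameter to.
        if (url.isEmpty() || url.startsWith("#")) {
            return url;
        }
        // Conservative assumption: never rewrite absolute or protocol-relative
        // URLs, so the id cannot be sent to another host.
        if (url.contains("://") || url.startsWith("//")) {
            return url;
        }
        // The path parameter belongs at the end of the path, before any
        // query string or fragment.
        int cut = url.length();
        int query = url.indexOf('?');
        int fragment = url.indexOf('#');
        if (query >= 0) {
            cut = query;
        }
        if (fragment >= 0 && fragment < cut) {
            cut = fragment;
        }
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    };

    public static void main(String[] args) {
        String sid = "CONSTRUCTED-SESSION-ID"; // constructed sample value
        String url = "/account/view?tab=1#top";
        System.out.println(APPEND_JSESSIONID.encode(url, sid, false));
        System.out.println(APPEND_JSESSIONID.encode(url, sid, true));
        System.out.println(APPEND_JSESSIONID.encode("https://other.example/x", sid, false));
        System.out.println(NO_REWRITE.encode(url, sid, false));
    }
}
```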